This Overlay terraform module can create a Storage Account and manage related parameters (Threat protection, Network Rules, Blob Containers, File Shares, Private Endpoints, etc.) to be used in a SCCA compliant Network.
This module can be SCCA compliant and can be used in a SCCA compliant Network. Enable private endpoints and SCCA compliant network rules to make it SCCA compliant.
For more information, please read the SCCA documentation.
If you need to enable Active Directory or AAD DS authentication for Azure File on this Storage Account, please read the Microsoft documentation and set the required values in the file_share_authentication variable.
| Name | Version |
|---|---|
| terraform | >= 1.3 |
| azurenoopsutils | ~> 1.0.4 |
| azurerm | ~> 3.22 |
| Name | Version |
|---|---|
| azurenoopsutils | ~> 1.0.4 |
| azurerm | ~> 3.22 |
| Name | Source | Version |
|---|---|---|
| mod_azure_region_lookup | azurenoops/overlays-azregions-lookup/azurerm | ~> 1.0 |
| Name | Type |
|---|---|
| azurerm_advanced_threat_protection.example | resource |
| azurerm_management_lock.resource_group_level_lock | resource |
| azurerm_private_dns_a_record.a_record | resource |
| azurerm_private_dns_zone.dns_zone | resource |
| azurerm_private_dns_zone_virtual_network_link.vnet_link | resource |
| azurerm_private_endpoint.pep | resource |
| azurerm_resource_group.rg | resource |
| azurerm_storage_account.storage | resource |
| azurerm_storage_account_network_rules.network_rules | resource |
| azurerm_storage_container.container | resource |
| azurerm_storage_management_policy.lcpolicy | resource |
| azurerm_storage_queue.queue | resource |
| azurerm_storage_share.share | resource |
| azurerm_storage_table.table | resource |
| azurenoopsutils_resource_name.sa | data source |
| azurerm_private_endpoint_connection.pip | data source |
| azurerm_virtual_network.vnet | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_tier | Defines the access tier for BlobStorage, FileStorage and StorageV2 accounts. Valid options are Hot and Cool, defaults to Hot. |
string |
"Hot" |
no |
| account_kind | Defines the Kind of account. Valid options are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Changing this forces a new resource to be created. Defaults to StorageV2. |
string |
"StorageV2" |
no |
| account_replication_type | Defines the type of replication to use for this Storage Account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS. |
string |
"ZRS" |
no |
| account_tier | Defines the Tier to use for this Storage Account. Valid options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid. Changing this forces a new resource to be created. |
string |
"Standard" |
no |
| add_tags | Map of custom tags. | map(string) |
{} |
no |
| advanced_threat_protection_enabled | Boolean flag which controls if advanced threat protection is enabled, see documentation for more information. | bool |
false |
no |
| allowed_cidrs | List of CIDR to allow access to that Storage Account. | list(string) |
[] |
no |
| containers | List of objects to create some Blob containers in this Storage Account. | list(object({ |
[] |
no |
| create_storage_account_resource_group | Should the storage account be created in a separate resource group? | bool |
false |
no |
| custom_domain_name | The Custom Domain Name to use for the Storage Account, which will be validated by Azure. | string |
null |
no |
| default_firewall_action | Which default firewalling policy to apply. Valid values are Allow or Deny. |
string |
"Deny" |
no |
| default_tags_enabled | Option to enable or disable default tags. | bool |
true |
no |
| deploy_environment | Name of the workload's environnement | string |
n/a | yes |
| enable_advanced_threat_protection | Threat detection policy configuration, known in the API as Server Security Alerts Policy. Currently available only for the SQL API. | bool |
false |
no |
| enable_blob_private_endpoint | Manages a Private Endpoint to Azure Storage Account for Blob | bool |
false |
no |
| enable_resource_locks | (Optional) Enable resource locks | bool |
false |
no |
| enable_table_private_endpoint | Manages a Private Endpoint to Azure Storage Account for Tables | bool |
false |
no |
| environment | The Terraform backend environment e.g. public or usgovernment | string |
n/a | yes |
| existing_private_dns_zone | Name of the existing private DNS zone | any |
null |
no |
| existing_subnet_id | ID of the existing subnet | any |
null |
no |
| file_share_authentication | Storage Account file shares authentication configuration. | object({ |
null |
no |
| file_share_cors_rules | Storage Account file shares CORS rule. Please refer to the documentation for more information. | object({ |
null |
no |
| file_share_properties_smb | Storage Account file shares smb properties. | object({ |
null |
no |
| file_share_retention_policy_in_days | Storage Account file shares retention policy in days. | number |
null |
no |
| file_shares | List of objects to create some File Shares in this Storage Account. | list(object({ |
[] |
no |
| hns_enabled | Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 and must be true if nfsv3_enabled is set to true. Changing this forces a new resource to be created. |
bool |
false |
no |
| https_traffic_only_enabled | Boolean flag which forces HTTPS if enabled. | bool |
true |
no |
| identity_ids | Specifies a list of User Assigned Managed Identity IDs to be assigned to this Storage Account. | list(string) |
null |
no |
| identity_type | Specifies the type of Managed Service Identity that should be configured on this Storage Account. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both). |
string |
"SystemAssigned" |
no |
| lifecycles | Configure Azure Storage firewalls and virtual networks | list(object({ prefix_match = set(string), tier_to_cool_after_days = number, tier_to_archive_after_days = number, delete_after_days = number, snapshot_delete_after_days = number })) |
[] |
no |
| location | Azure region in which instance will be hosted | string |
n/a | yes |
| lock_level | (Optional) id locks are enabled, Specifies the Level to be used for this Lock. | string |
"CanNotDelete" |
no |
| min_tls_version | The minimum supported TLS version for the Storage Account. Possible values are TLS1_0, TLS1_1, and TLS1_2. |
string |
"TLS1_2" |
no |
| name_prefix | Optional prefix for the generated name | string |
"" |
no |
| name_suffix | Optional suffix for the generated name | string |
"" |
no |
| network_bypass | Specifies whether traffic is bypassed for 'Logging', 'Metrics', 'AzureServices' or 'None'. | list(string) |
[ |
no |
| network_rules_enabled | Boolean to enable Network Rules on the Storage Account, requires network_bypass, allowed_cidrs, subnet_ids or default_firewall_action correctly set if enabled. |
bool |
true |
no |
| nfsv3_enabled | Is NFSv3 protocol enabled? Changing this forces a new resource to be created. | bool |
false |
no |
| org_name | Name of the organization | string |
n/a | yes |
| public_nested_items_allowed | Allow or disallow nested items within this Account to opt into being public. | bool |
false |
no |
| queue_properties_logging | Logging queue properties | object({ |
{} |
no |
| queues | List of objects to create some Queues in this Storage Account. | list(object({ |
[] |
no |
| resource_group_name | Name of the workload ressource group | string |
n/a | yes |
| shared_access_key_enabled | Indicates whether the Storage Account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). | bool |
true |
no |
| static_website_config | Static website configuration. Can only be set when the account_kind is set to StorageV2 or BlockBlobStorage. |
object({ |
null |
no |
| storage_account_custom_name | Custom Azure Storage Account name, generated if not set | string |
"" |
no |
| storage_blob_cors_rule | Storage Account blob CORS rule. Please refer to the documentation for more information. | object({ |
null |
no |
| storage_blob_data_protection | Storage account blob Data protection parameters. | object({ |
{ |
no |
| subnet_ids | Subnets to allow access to that Storage Account. | list(string) |
[] |
no |
| tables | List of objects to create some Tables in this Storage Account. | list(object({ |
[] |
no |
| use_naming | Use the Azure NoOps naming provider to generate default resource name. storage_account_custom_name override this if set. Legacy default name is used if this is set to false. |
bool |
true |
no |
| use_subdomain | Should the Custom Domain Name be validated by using indirect CNAME validation? | bool |
false |
no |
| virtual_network_name | The name of the virtual network | string |
"" |
no |
| workload_name | Name of the workload_name | string |
n/a | yes |
| Name | Description |
|---|---|
| storage_account_id | Created Storage Account ID |
| storage_account_identity | Created Storage Account identity block |
| storage_account_name | Created Storage Account name |
| storage_account_network_rules | Network rules of the associated Storage Account |
| storage_account_properties | Created Storage Account properties |
| storage_account_uri | Created Storage Account name |
| storage_blob_containers | Created blob containers in the Storage Account |
| storage_file_queues | Created queues in the Storage Account |
| storage_file_shares | Created file shares in the Storage Account |
| storage_file_tables | Created tables in the Storage Account |
| terraform_module | Information about this Terraform module |